Despite Leaks, Conti Ransomware Attacks Persist 
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In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part 
of the global ransomware tracking efforts. This update was released prior to the massive 
leak of Conti source code and chat logs on Februrary 27, 2022. The leaks were published 
by a Ukrainian researcher after the invasion of Ukraine. However, since these leaks were 
published, the Conti gang has continued to attack organizations and conduct business as 
usual. While two versions of Conti source code have been leaked, the most recent 
ransomware code has not yet been leaked. This blog will highlight the most recent changes 
to the ransomware and how Conti improved file encryption, introduced techniques to better 
evade security software, and streamlined the ransom payment process. 


Technical Analysis 


The most recent Conti update introduced a number of new features and changes to the 
ransomware code. Some of these modifications include new command-line arguments that 
are highlighted in bold in Table 1. 


Command-Line Description 
Argument 


-log Previously used to log ransomware actions; this functionality has 
been removed, but the command-line switch remains an artifact from 
the previous version 
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-path Start encryption using the specified path as the root directory 


-size Size parameter for large file encryption 


-mode Encryption mode /ocal (disks) or net (network shares); the all and 
backups options were removed 


-user Log in to Windows Safe Mode as the specified user 


-pass Log in to Windows Safe Mode as the user with the 
corresponding password 


-safeboot Force reboot the system and launch Conti in Windows Safe 


Mode 


- Disable Windows Safe Mode and reboot the system (used after 
disablesafeboot file encryption occurs in Windows Safe Mode) 


-nomutex Previously used to prevent the creation of a mutex; currently unused 


Table 1. Conti command-line arguments updated in January 2022 


The functionality for the command-line arguments -/og and -nomutex was removed. The 
new command-line parameters that were added are related to features that enable Conti to 
reboot the system in Windows Safe Mode with networking enabled and then start file 
encryption. By booting in Safe Mode, Conti can maximize the number of files that are 
encrypted, because business applications such as databases are likely not running. 
Therefore, those applications will not have open file handles that could prevent file 
encryption. In addition, many security software applications (e.g., antivirus programs) will 
not be loaded by default when the system is running in Safe Mode. The ability to encrypt 
files in Windows Safe Mode is a feature that has been observed in other ransomware 
families including REvil and BlackMatter. 


If the -safeboot command-line argument is provided together with the -user and -pass 
parameters, Conti will use these values to automatically log in with the specified credentials 
when the system is rebooted into Safe Mode. This is performed by setting the registry 
values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon to the following: 
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AutoAdminLogon = 1 

DefaultUserName = <username> 

DefaultDomainName = <computer_name or domain_name> 
DefaultPassword = <password> 


The -user argument is expected to be in the format: <domain_name>\<username>. 


If the -safeboot command-line argument is passed by itself (without the -user and -pass 
parameters), Conti will search for users that have administrator privileges by searching for 
the security identifier (SID) prefix S-1-5-27 with the relative identifier (RID) -500. 


If Conti is able to locate an administrator account, Conti will execute the commandcmd.exe 
Ic net user <admin> /active:yes to make sure the account is enabled. Conti will then 
attempt to change the password for this account to an empty string by executing the 
command cmd.exe /c net user <admin> "". The corresponding registry values will then be 
set to automatically log in as the administrator in Safe Mode when the system is rebooted. 
Figure 1 shows example registry values set after an administrator account has been set up 
to automatically log in. 
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Figure 1. Example Windows registry modifications made by Conti to automatically log in as 
an administrator 
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In order to execute Conti when the system is booted into Safe Mode, a registry value is 
created under 
HKEY_LOCAL_MACHINE\SOFTWARE\WMicrosoft\Windows\CurrentVersion\RunOnce with 
the name “conti and the value <path_to_conti_executable> -disablesafeboot. 


Conti then executes the command bcedit.exe /set {current} safeboot network and forces 
a system reboot by calling the Windows API function ExitWindowsEx(). This will launch 
Windows in Safe Mode with networking enabled as shown in Figure 2. The network mode is 
enabled, so that Conti can still be used to encrypt files on network shares. 


ows CR) Version 6.1 (Build 7601: Service Pack 1) 
5 8 MB Memory] MultiPro - Kernel 
is booting in safemode - Minimal Services with Network 


Figure 2. Conti booting Windows into Safe Mode with networking enabled to encrypt files 


After Conti has completed file encryption in Safe Mode, it executes the command 
bcedit.exe /deletevalue {current} safeboot and reboots the system. Conti's file encryption 
algorithms remain the same as previous versions with a per file random 256-bit ChaCha 
symmetric key. Each file's ChaCha key is protected by a hardcoded victim-specific 4,096-bit 
RSA public key. 


The new Conti update also added the ability to change desktop wallpaper by writing an 
embedded PNG file to C:\ProgramData\conti.png. An example of the Conti wallpaper image 
is shown in Figure 3. 
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ALL of your files are currently encrypted 
by CONTI strain. 


Find the "readme.txt" file in any folder 
for further instructions. 


Figure 3. Conti PNG image used to set the victim’s desktop wallpaper after file encryption 


The feature to change the wallpaper after file encryption is very common among 
ransomware families to further attract the attention of victims. 


In order to hinder malware analysis, Conti dynamically resolves most Windows API 
functions by using a hash algorithm. In the previous version of Conti, the hash algorithm 
was Murmur2, while the latest version now uses Murmur3. This produces different hash 
values for all API functions that are used by Conti, which may evade security software that 
searches for the corresponding hash values. 


Conti also updated the encrypted file extensions to include uppercase and lowercase 
characters and numbers. The following file extension examples have been observed in 
recent Conti samples: 


e .ZG7Ak 
e .wjzPe 

e .LVOYK 
e .C5SeFx 
e fgM9X 


This encrypted file extension modification may be designed to bypass endpoint security 
software that could identify the previous Conti ransomware pattern that used five uppercase 
letters. 


Conti also updated the ransom note and TOR hidden service URL. An example of a recent 
Conti ransom note is shown below: 
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All of your files are currently encrypted by CONTI strain. If you don't know who we 
are - just "Google it." 


As you already know, all of your data has been encrypted by our software. 
It cannot be recovered by any means without contacting our team directly. 


DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data 
(including the usage of the additional recovery software) can damage your files. 
However, 

if you want to try - we recommend choosing the data of the lowest value. 


DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready 
to publish it on our news website if you do not respond. 
So it will be better for both sides if you contact us as soon as possible. 


DON'T TRY TO CONTACT feds or any recovery companies. 

We have our informants in these structures, so any of your complaints will be 
immediately directed to us. 

So if you will hire any recovery company for negotiations or send requests to the 
police/FBI/investigators, we will consider this as a hostile intent and initiate the 
publication of whole compromised data immediately. 


To prove that we REALLY CAN get your data back - we offer you to decrypt two random 
files completely free of charge. 


You can contact our team directly for further instructions through our website : 


TOR VERSION : 
(you should download and install TOR browser first https://torproject[.]org) 


http://contirec7nchr45rx6ympez5rj. .. vaeywhvoj3wad[ . ]onion/<victim_path> 


YOU SHOULD BE AWARE! 

We will speak only with an authorized person. It can be the CEO, top management, 
etc. 

In case you are not such a person - DON'T CONTACT US! Your decisions and action can 
result in serious harm to your company! 

Inform your supervisors and stay calm! 


The new Conti ransom note is streamlined with a direct link to a victim-specific chat portal. 
Prior versions required a victim to access the portal and then upload their ransom note, 
which contained a unique identifier. 


The latest Conti portal contains a landing page that instructs the user to follow the 
instructions in the README.txt file that is written to disk after file encryption. It no longer 
supports a victim uploading the ransom note to authenticate as shown in Figure 4. 
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If you are looking at this page right now, that means that your network was succesfully 
breac am 


A y hed by CONTI te 
4 All of your files, databases, application files etc were encrypted with military-grade 


algorithms. 
If you are looking for a free decryption tool right now - there's none. 


Antivirus labs, researches, security solution providers, law agencies won't help you to 


( "ON | | decrypt the data 


f 2 ecover If you are interested in this matter - you should check README.TXT file to be 
ver instructions upon decryption 


Tor mirror 


Figure 4. Updated Conti ransom portal landing page 


Conclusion 


In January 2022, Conti introduced new features to bring feature parity with other 
ransomware families including the ability to encrypt files in Windows Safe Mode and change 
the desktop wallpaper. Despite the group's source code and chat logs being leaked online 
in February 2022, Conti continues to conduct ransomware attacks against large 
organizations. ThreatLabz expects the Conti gang to further update the malware and 
potentially rebrand as the source code leaks have damaged their reputation and may lead 
to other criminal groups forking the code. 


Zscaler Cloud Sandbox Detection 
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@zscaler Cloud Sandbox 
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DOWNLOAD SUMMARY ORIGIN 


In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects 
indicators related to the campaign at various levels with the following threat names: 


Win32.Ransom.Conti 


Win64.Ransom.Conti 
Indicators of Compromise 
SHA256 Description 


foa8d48afa7e5535fb 7 1fd22225e86602d4 /dcfaba4924fcbc33aecd9c945847 Conti 
ransomware 


16cc7519945bace49ef729e69db7d19e00252f2bd559903e1631c8878c2360f4 Conti 
ransomware 


€6818bf8c6d20501485fc0cc644d33fcea4bd9a3b45c5d61e98317bda5c080c4 Conti 
ransomware 


182f94d26de58b8b02ddf7223f95d153b5e907fa103c34ed76cae2c816f865f0 Conti 
ransomware 


e€950c625a94ce9e6097 78fcc863255307 74e45572ff58ebc6549e2627941b5cc Conti 
ransomware 
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About ThreatLabz 

ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for 
hunting new threats and ensuring that the thousands of organizations using the global 
Zscaler platform are always protected. In addition to malware research and behavioral 
analysis, team members are involved in the research and development of new prototype 
modules for advanced threat protection on the Zscaler platform, and regularly conduct 
internal security audits to ensure that Zscaler products and infrastructure meet security 
compliance standards. ThreatLabz regularly publishes in-depth analyses of new and 
emerging threats on its portal, research.zscaler.com. 
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